Inspection Policy Maps; Replacing An In-Use Inspection Policy Map - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 12
Getting Started with Application Layer Protocol Inspection
Other applications embed an IP address in the packet that needs to match the source address that is
normally translated when it goes through the ASA.
If you use applications like these, then you need to enable application inspection.
When you enable application inspection for a service that embeds IP addresses, the ASA translates
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the ASA
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.

Inspection Policy Maps

You can configure special actions for many application inspections using an inspection policy map.
These maps are optional: you can enable inspection for a protocol that supports inspection policy maps
without configuring a map. These maps are needed only if you want something other than the default
inspection actions.

See Configure Application Layer Protocol Inspection, page 12-9 for a list of applications that support
inspection policy maps.

An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depend on the application.

• Traffic matching criteria—You match application traffic to criteria specific to the application, such
as a URL string, for which you then enable actions.
For some traffic matching criteria, you use regular expressions to match text inside a packet. Be sure
to create and test the regular expressions before you configure the policy map, either singly or
grouped together in a regular expression class map.

• Inspection class map—Some inspection policy maps let you use an inspection class map to include
multiple traffic matching criteria. You then identify the inspection class map in the inspection policy
map and enable actions for the class as a whole. The difference between creating a class map and
defining the traffic match directly in the inspection policy map is that you can create more complex
match criteria and you can reuse class maps. However, you cannot set different actions for different
matches.

• Parameters—Parameters affect the behavior of the inspection engine.

The following topics provide more details:

• Replacing an In-Use Inspection Policy Map, page 12-3
• How Multiple Traffic Classes are Handled, page 12-4

Replacing an In-Use Inspection Policy Map

If you need to replace an inspection policy map that you are already using in a service policy, use the
following methods:

• All inspection policy maps—If you want to exchange an in-use inspection policy map for a different
map name, you must remove the inspect protocol map command, and add it back with the new map.
For example:

hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2
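The following configuration, added here as a worked example and not taken from the Cisco guide, walks through all three elements of an inspection policy map (a tested regular expression grouped in a regex class map, an inspection class map that combines two SIP match criteria, and engine parameters) and then performs the in-place swap described above. The map names sip-map1 and sip-map2 come from the page; the regex, class map and policy map names (sip-blocked-caller, sip-blocked-domain, sip-from-blocked-domain) are hypothetical, and global_policy / inspection_default are the ASA's default service policy and class. The example assumes sip-map1 is currently referenced from global_policy, which is already applied with service-policy global_policy global.

```cisco
! Constructed example; object names other than sip-map1/sip-map2 are hypothetical.

! 1. Create the regular expression and test it against sample input BEFORE any
!    map references it (the guide asks for this; test regex reports whether
!    the regex matches the supplied text).
regex sip-blocked-caller "@spam-sip\.example"
test regex "sip:bob@spam-sip.example" "@spam-sip\.example"

! 2. Group the regex in a regular expression class map so it can be reused
!    by several inspection class maps or policy maps.
class-map type regex match-any sip-blocked-domain
 match regex sip-blocked-caller

! 3. Inspection class map: match-all means both criteria must hold, i.e. an
!    INVITE whose calling party is in the blocked domain.
class-map type inspect sip match-all sip-from-blocked-domain
 match request-method invite
 match calling-party regex class sip-blocked-domain

! 4. New inspection policy map: engine parameters plus one action for the
!    class as a whole (the class-map approach cannot give per-match actions).
policy-map type inspect sip sip-map2
 parameters
  strict-header-validation action drop log
  state-checking action drop log
 class sip-from-blocked-domain
  drop-connection log

! 5. Swap the in-use map: remove the inspect command that names the old map
!    and add it back naming the new one. The existing service-policy binding
!    (service-policy global_policy global) does not need to be re-entered.
policy-map global_policy
 class inspection_default
  no inspect sip sip-map1
  inspect sip sip-map2

! 6. Verify which map the service policy now references.
show running-config policy-map global_policy
show service-policy inspect sip
```

One caveat the page does not spell out, but that is standard ASA service-policy behaviour: edits to a policy map that is already bound by service-policy apply to new connections only. SIP sessions that were established while sip-map1 was in place keep the policy they matched until they end, so if the new parameters or the drop-connection action must apply immediately, clear the affected connections (clear conn, optionally narrowed to the SIP port) after the swap.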
Cisco ASA Series Firewall CLI Configuration Guide
12-3